Required for Healthcare AI

HIPAA Compliance for AI Systems. Automated.

Every AI output touching patient data is a potential HIPAA violation, and HTI-1 adds certification stakes for Predictive Decision Support Interventions. Aguardic enforces both in real time and generates the audit evidence OCR, HHS/ONC, and Joint Commission surveys ask for.

14-day free trial · No credit card · Free HIPAA policy pack

Does This Apply to You?

HIPAA Applies to Covered Entities and Business Associates

Covered Entities

  • Hospitals and health systems using AI for clinical decision support
  • Telehealth platforms with AI-powered patient triage or documentation
  • Clinics using AI scribes, chatbots, or diagnostic tools

Business Associates

  • SaaS companies building AI tools that process PHI
  • AI vendors providing models or agents to healthcare organizations
  • IT services and consultants managing health data infrastructure

If your AI system touches patient data in any form, HIPAA applies — regardless of whether you're a healthcare provider or a technology vendor.

How Aguardic Helps

Automate HIPAA Compliance for Every AI Interaction

PHI Protection

Detect and block Protected Health Information in AI-generated outputs, emails, documents, and code comments. Prevent unauthorized disclosure before it happens.

Access Controls

Ensure only authorized users and systems access patient data through AI tools. Enforce policies on who can query, share, and act on PHI.

Audit & Documentation

Maintain complete audit trails of every AI interaction with patient data. Evidence generated automatically — who triggered it, what was checked, and why it passed or failed.

Requirements Coverage

HIPAA & HTI-1 Coverage Matrix

Healthcare AI sits under HIPAA's Privacy and Security Rules plus ONC's HTI-1 Final Rule for Predictive Decision Support Interventions. This is the full section-to-control reference across both — what Aguardic enforces, the evidence it produces, and the work your compliance team, business associates, and certified health IT vendor still own.

3 Covered · 8 Partial · 1 Not Covered · Total: 12

HIPAA Privacy & Security

Covered

§ 164.502

Minimum Necessary

Limit PHI use and disclosure to the minimum necessary for the intended purpose.

How Aguardic helps

PHI detection policies block unnecessary exposure in emails, LLM prompts, documents, and code. Minimum necessary is enforced at every surface.

Evidence produced

Blocked violation logs · PHI detection records · policy evaluation trail

What you handle

Define what counts as necessary for each workflow and approve the role-based PHI scopes your operators use day to day.

Partial

§ 164.312(a)

Access Control

Technical policies that allow access to ePHI only by authorized persons or software.

How Aguardic helps

Policy enforcement gates who and what can process PHI through AI systems. Does not manage identity provider configuration or user authentication.

Evidence produced

Policy evaluation logs · access decision records · violation trail

What you handle

Run your IdP (Okta, Azure AD, etc.), manage workforce roles, and configure role-based access before requests hit Aguardic.

Covered

§ 164.312(c)

Integrity Controls

Protect ePHI from improper alteration or destruction throughout its lifecycle.

How Aguardic helps

PHI Integrity Violation rule detects unauthorized modifications to PHI across documents, AI outputs, and communications. Every evaluation is logged with full decision reasoning.

Evidence produced

PHI Integrity Violation detection logs · modification audit trail · policy evaluation records

What you handle

Define acceptable PHI modification workflows for clinical vs. administrative paths and approve the integrity policies applied.

Not Covered

§ 164.312(d)

Person or Entity Authentication

Verify the identity of persons or entities seeking access to ePHI before granting it.

How Aguardic helps

Aguardic enforces policies after authentication — not the authentication itself. Pair with a dedicated identity provider.

What you handle

Deploy an identity provider (Okta, Azure AD, etc.) with MFA, and manage credential lifecycle for all persons and service accounts accessing ePHI.

Partial

§ 164.312(e)

Transmission Security

Guard against unauthorized access to ePHI during electronic transmission across networks.

How Aguardic helps

Detects PHI in outbound communications (email, Slack, LLM API calls) and blocks before transmission. Does not handle transport-layer encryption.

Evidence produced

Blocked transmission logs · PHI detection records · outbound policy evaluation trail

What you handle

Enforce TLS on all ePHI-carrying channels, manage certificate rotation, and validate endpoint configuration for VPNs and encrypted email.

Partial

§ 164.308

Administrative Security Management

Implement security management including risk analysis and ongoing risk management.

How Aguardic helps

Continuous policy enforcement demonstrates active security management. Does not cover full risk analysis methodology or workforce training.

Evidence produced

Continuous evaluation logs · compliance dashboard · policy version history

What you handle

Conduct and document the § 164.308(a)(1) risk analysis, run workforce security training, and maintain sanctions and incident-response programs.

Partial

§ 164.530

Administrative Requirements & BAA Coverage

Maintain policies, procedures, training documentation, and business associate agreements for every vendor that touches PHI.

How Aguardic helps

BAA Compliance pack detects PHI shared with vendors, AI services, and subcontractors without BAA coverage, and flags BAAs missing § 164.504(e) required elements. Training and policy authorship still belong to your privacy team.

Evidence produced

PHI-to-vendor-without-BAA detections · AI service PHI indicators · BAA element gap reports · subcontractor chain analysis

What you handle

Draft and maintain HIPAA policies, run annual workforce training, track attestations, and negotiate BAA renewals with your vendors.

Partial

§ 164.400-414

Breach Notification Rule

Detect potential PHI breaches, notify affected individuals within 60 days of discovery, report breaches affecting 500 or more individuals to HHS, and include all § 164.404(c) required elements in the notification.

How Aguardic helps

Breach Notification pack detects breach indicators (unauthorized access, lost devices, bulk exfiltration), flags delayed-notification language, and reviews breach communications for missing § 164.404(c) elements. Aguardic surfaces signals; HHS and individual notification still runs through your incident response process.

Evidence produced

PHI breach indicator detections · incomplete notification flags · delayed notification alerts · HHS reporting gap signals for breaches affecting 500+ individuals

What you handle

Run the incident response process, determine whether an event is a reportable breach, send affected-individual notifications, and file HHS reports within the 60-day window.

HTI-1 & Healthcare AI Certification

Partial

§ 170.315(b)(11)(iv)(A)

Source Attribute Disclosure for Predictive DSI

Certified health IT must display source attributes for predictive decision support interventions, including model purpose, training data characteristics, and intended use.

How Aguardic helps

HTI-1 PDSI pack's Source Attribute Missing rule flags PDSI content that ships without the ONC-required attribute set (purpose, training data, intended use, known risks). AI System Registry captures the same fields on the governance side. Rendering them on a certified EHR disclosure surface still needs vendor integration.

Evidence produced

Source attribute missing detections · AI System Registry exports · PDSI intended-use records

What you handle

Coordinate with your certified health IT vendor on the ONC-formatted disclosure surface. Map Aguardic's registry fields to ONC's required source attribute categories.

Partial

§ 170.315(b)(11)(iv)(B)

Performance Testing and Validation

Document performance metrics, validation processes, and testing results for predictive DSI, including fairness and bias evaluation.

How Aguardic helps

HTI-1 PDSI pack's Performance Metrics Missing rule flags PDSI communications and documentation that lack validation data, fairness evaluation, or performance metrics. Continuous evaluation captures operational performance once deployed. Pre-deployment bias testing still needs ML tooling.

Evidence produced

Performance metrics missing detections · continuous evaluation logs · violation trend reports

What you handle

Run pre-deployment bias testing, fairness evaluation, and performance validation using dedicated ML validation tooling. Maintain methodology documentation alongside Aguardic's operational records.

Covered

§ 170.315(b)(11)(iii)

Intervention Risk Management

Implement risk management for predictive DSI including monitoring, feedback mechanisms, and response to identified risks.

How Aguardic helps

Continuous policy enforcement with violation tracking constitutes active risk management. PDSI-specific policies monitor deployment, surface risk signals, and log mitigation actions.

Evidence produced

Policy enforcement logs · violation detection records · risk mitigation trail

What you handle

Define risk tolerance thresholds, staff the feedback review process, and approve risk response protocols with clinical and compliance leadership.

Partial

§ 170.315(b)(11)(v)

Intervention Update and Decommission Tracking

Track material changes, updates, and decommissioning of predictive DSI across the deployment lifecycle.

How Aguardic helps

HTI-1 PDSI pack's Lifecycle Event Unlogged rule flags PDSI updates, retraining, and decommission events that ship without an audit entry. Policy versioning and AI System Registry add full change history. EHR-side certification status tracking still runs through your vendor.

Evidence produced

Lifecycle event detections · policy version history · AI System Registry change logs

What you handle

Coordinate with your certified health IT vendor on PDSI lifecycle events. Maintain the official decommission process and certification status updates.
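To make the control pattern behind the PHI Protection, Access Controls and Audit & Documentation descriptions above, and the Minimum Necessary, Transmission Security and BAA Coverage rows of the matrix, concrete, here is an added Python example. It is not Aguardic's code and says nothing about how Aguardic's own detectors are built; it shows the shape of an outbound policy gate: detect PHI identifiers in a message before it leaves for an email, chat or LLM API destination, enforce a role-based minimum-necessary scope, require BAA coverage for the destination, and write an audit record (who triggered it, what was checked, why it passed or failed) for every decision. The identifier patterns, role scopes, BAA-covered destination list and sample requests are all constructed assumptions.

```python
"""
Outbound PHI policy gate (added illustrative example, not Aguardic's code).
Checks text before it leaves for an email, chat message or LLM API call,
enforces a role-based minimum-necessary scope, requires BAA coverage for
the destination, and records an audit entry for every decision.
All patterns, roles, destinations and sample messages are constructed.
"""
import hashlib
import json
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Identifier patterns (constructed and deliberately narrow; production
# detectors combine NER, dictionaries and context, not regexes alone).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}

# Hypothetical minimum-necessary scopes: identifier types each role may send.
ROLE_SCOPES = {
    "clinician": {"mrn", "dob", "phone"},
    "billing": {"mrn"},
    "marketing": set(),
}

# Hypothetical set of destinations with a signed BAA on file.
BAA_COVERED_DESTINATIONS = {"ehr-llm-gateway"}

AUDIT_LOG = []  # JSON lines; a real deployment writes to append-only storage


@dataclass
class Decision:
    allowed: bool
    reason: str
    detected: dict       # identifier type -> number of occurrences
    actor: str
    role: str
    destination: str
    content_sha256: str  # hash, not the text: the trail must not become a PHI copy
    timestamp: str


def detect_phi(text):
    """Return {identifier_type: count} for every pattern that matches."""
    return {name: len(p.findall(text)) for name, p in PHI_PATTERNS.items() if p.search(text)}


def redact(text):
    """Replace each detected identifier with a type tag so a request can proceed without it."""
    for name, p in PHI_PATTERNS.items():
        text = p.sub(f"[{name.upper()}]", text)
    return text


def evaluate(text, actor, role, destination):
    """Apply the policy, append an audit record and return the Decision."""
    detected = detect_phi(text)
    if not detected:
        allowed, reason = True, "no PHI identifiers detected"
    elif destination not in BAA_COVERED_DESTINATIONS:
        allowed, reason = False, f"PHI bound for '{destination}', which has no BAA coverage"
    else:
        out_of_scope = sorted(set(detected) - ROLE_SCOPES.get(role, set()))
        if out_of_scope:
            allowed, reason = False, f"identifiers {out_of_scope} exceed minimum-necessary scope for role '{role}'"
        else:
            allowed, reason = True, f"identifiers within '{role}' scope; destination is BAA-covered"
    decision = Decision(
        allowed=allowed, reason=reason, detected=detected, actor=actor, role=role,
        destination=destination,
        content_sha256=hashlib.sha256(text.encode()).hexdigest(),
        timestamp=datetime.now(timezone.utc).isoformat(),
    )
    AUDIT_LOG.append(json.dumps(asdict(decision)))
    return decision


def audit_records():
    """Parse the audit trail back into dicts (what an evidence export would carry)."""
    return [json.loads(line) for line in AUDIT_LOG]


# Constructed sample requests.
SAMPLE_PHI_REQUEST = "Summarize the discharge notes for MRN 00482913, DOB 03/14/1962."
SAMPLE_CLEAN_REQUEST = "Summarize the cardiology discharge workflow for the care team."

if __name__ == "__main__":
    for actor, role, dest, text in [
        ("dr.lee", "clinician", "ehr-llm-gateway", SAMPLE_PHI_REQUEST),
        ("m.jones", "marketing", "ehr-llm-gateway", SAMPLE_PHI_REQUEST),
        ("dr.lee", "clinician", "public-chatbot", SAMPLE_PHI_REQUEST),
        ("m.jones", "marketing", "public-chatbot", SAMPLE_CLEAN_REQUEST),
    ]:
        d = evaluate(text, actor, role, dest)
        print("ALLOW" if d.allowed else "BLOCK", actor, "->", dest, "|", d.reason)
    print("redacted:", redact(SAMPLE_PHI_REQUEST))
```

Running the file prints four decisions (the same clinician request is allowed to the BAA-covered gateway, blocked for a marketing role, and blocked for an uncovered destination; a request with no identifiers passes) and a redacted copy of the request. The audit record stores a SHA-256 hash of the content rather than the content itself, so the evidence trail does not become a second, unprotected copy of PHI, while the hash still lets a reviewer tie a later-recovered message to the logged decision.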

Browse the HIPAA Policy Pack

Coverage mappings reflect Aguardic's current product capabilities mapped to the HIPAA Privacy and Security Rules and ONC's 45 CFR 170.315(b)(11) HTI-1 criteria. Validate with qualified HIPAA counsel and your certified health IT vendor for your specific use case. These mappings address technical and administrative safeguards; business associate agreements, organizational policy and procedure requirements, and certified EHR disclosure surfaces remain your responsibility.

Healthcare procurement deadline?

Answer your hospital vendor assessment with HIPAA + HTI-1 controls Aguardic enforces

Upload it. We draft answers citing § 164 sections, BAA-status lookups for every AI tool, and HTI-1 PDSI requirements — describing exactly what Aguardic enforces in production. Set up Aguardic once and the same answers ship on every hospital review going forward.


Start Protecting Patient Data Today

Install the HIPAA policy pack, connect your AI systems, and start generating compliance evidence in minutes.



This page summarizes key provisions of the HIPAA Privacy, Security, and Breach Notification Rules for informational purposes only. Aguardic is not a law firm and this is not legal advice. Consult qualified counsel to assess your specific HIPAA obligations. Coverage mappings reflect Aguardic's current product capabilities as of April 2026.
